Skip to content
  • Analysts
  • Contact Us
  • Services

The DFIR Report

Real Intrusions by Real Attackers, The Truth Behind the Intrusion

  • Analysts
  • Contact Us
  • Services
Friday, December 03, 2021
CONTInuing the Bazar Ransomware Story
adfind bazar cobaltstrike conti ransomware

CONTInuing the Bazar Ransomware Story

November 29, 2021

In this report we will discuss a case from early August where we witnessed threat actors utilizing BazarLoader and Cobalt Strike to accomplish their mission of encrypting systems with Conti … Read More

Exchange Exploit Leads to Domain Wide Ransomware
APT35 exploit Fast Reverse Proxy Plink ProxyShell ransomware

Exchange Exploit Leads to Domain Wide Ransomware

November 15, 2021

Intro In late September, we observed an intrusion in which initial access was gained by the threat actor exploiting multiple vulnerabilities in Microsoft Exchange. The threat actors in this case … Read More

From Zero to Domain Admin
cobaltstrike exploit hancitor

From Zero to Domain Admin

November 1, 2021

Intro This report will go through an intrusion from July that began with an email, which included a link to Google’s Feed Proxy service that was used to download a … Read More

IcedID to XingLocker Ransomware in 24 hours
adfind cobaltstrike icedid mountlocker xinglocker

IcedID to XingLocker Ransomware in 24 hours

October 18, 2021

Intro Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early … Read More

BazarLoader and the Conti Leaks
adfind bazar cobaltstrike

BazarLoader and the Conti Leaks

October 4, 2021

Intro In July, we observed an intrusion that started from a BazarLoader infection and lasted approximately three days. The threat actor’s main priority was to map the domain network, while … Read More

BazarLoader to Conti Ransomware in 32 Hours
bazar cobaltstrike conti

BazarLoader to Conti Ransomware in 32 Hours

September 13, 2021

Intro Conti is a top player in the ransomware ecosystem, being listed as 2nd overall in the Q2 2021 Coveware ransomware report. The groups deploying this RaaS have only grown … Read More

Cobalt Strike, a Defender’s Guide
cobaltstrike Tools

Cobalt Strike, a Defender’s Guide

August 29, 2021

Intro In our research, we expose adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools they use to execute their mission objectives. In most of our cases, we … Read More

Trickbot Leads Up to Fake 1Password Installation
cobaltstrike trickbot

Trickbot Leads Up to Fake 1Password Installation

August 16, 2021

Intro  Over the past years, Trickbot has established itself as modular and multifunctional malware. Initially focusing on bank credential theft, the Trickbot operators have extended its capabilities. More recently, Trickbot … Read More

BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
adfind BazarCall cobaltstrike conti ransomware trickbot

BazarCall to Conti Ransomware via Trickbot and Cobalt Strike

August 1, 2021

Intro This report will go through an intrusion that went from an Excel file to domain wide ransomware. The threat actors used BazarCall to install Trickbot in the environment which … Read More

IcedID and Cobalt Strike vs Antivirus
adfind cobaltstrike icedid

IcedID and Cobalt Strike vs Antivirus

July 19, 2021

Intro Although IcedID was originally discovered back in 2017, it did not gain in popularity until the latter half of 2020.  We have now analyzed a couple ransomware cases in … Read More

Posts navigation

1 2 … 4 Next

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Follow us on Twitter

My Tweets

Recent Posts: The DFIR Report

Ryuk in 5 Hours

Ryuk in 5 Hours

Intro The Ryuk threat actors went from a phishing email to domain wide ransomware in 5 hours. They escalated privileges using Zerologon (CVE-2020-1472), less than 2 hours after the initial … Read More

Ryuk’s Return

Ryuk’s Return

Intro The Ryuk group went from an email to domain wide ransomware in 29 hours and asked for over $6 million to unlock our systems. They used tools such as … Read More

NetWalker Ransomware in 1 Hour

NetWalker Ransomware in 1 Hour

The threat actor logged in through RDP, attempted to run a Cobalt Strike Beacon, and then dumped memory using ProcDump and Mimikatz. Next, they RDPed into a Domain Controller, minutes … Read More

Dridex – From Word to Domain Dominance

Dridex – From Word to Domain Dominance

Ransomware Again…But We Changed the RDP Port!?!?!

Ransomware Again…But We Changed the RDP Port!?!?!

Here’s another example of threat actors brute forcing RDP to install ransomware, this time the brute forced system was not using the default RDP port. The threat actors installed ransomware … Read More

Translate

Proudly powered by WordPress | Theme: FreeNews | By ThemeSpiral.com.